I have an SP2016 site collection.
The Farm is composed as follows:
Domain server = DomainSPxxx
Frontend server = FrontendSP
Database server = DatabaseSP
The site collection has two extensions:
- default (http): with Windows Auth access to the DomainSPxxx.com domain
- internet with mixed access (https): with Windows Auth access to the DomainSPxxx.com domain and Forms-Based access with an LDAP provider, always associated with the DomainSPxxx.com domain
When a domain account authenticates with Windows Auth, the username displayed is userx@DomainSPxxx.com; when it is connected with LDAP it will be like '0#.f|ldapmember:userx|userx@DomainSPxxx.com'.
On the default extension only the administrative accounts are used.
This extension is used exclusively for service / maintenance activities. For example, the document search crawl is performed on it.
Problem:
I have developed a workflow that performs operations on SP lists.
Given that:
- The Workflow Manager is configured correctly
- The user profile is configured correctly
- The two services are active
- The Workflow app for the site is active and correctly configured through the appinv.aspx page
- The STS application pool has "Load User Profile" set to true
- The "Workflow can use app permissions" feature is active
Explanation of the problem:
In practice, when the workflow is launched from the https internet extension, for each operation performed (for example reading records) it is as if the system requires the presence of the domain user on the document library.
Example:
user '0#.f|ldapmember:userx|userx@DomainSPxxx.com' is a collaborator on list 'TestList'.
If the workflow performs a read operation on document library 'TestList' as user '0#.f|ldapmember:userx|userx@DomainSPxxx.com', it fails, indicating resource access problems. I checked the SP log.
Below is an excerpt:
CAML query: <View Scope = "RecursiveAll"> <Query> <Where> <Eq> <FieldRef Name = "ID" /> <Value Type = "Counter"> 8 </Value> </Eq> </Where>
</Query> <ViewFields> <FieldRef Name = "ContentTypeId" /> <FieldRef Name = "Title" /> <FieldRef Name = "ID" />
<FieldRef Name = "Created" /> <FieldRef Name = "Author" LookupId = "TRUE" /> <FieldRef Name = "Modified" />
<FieldRef Name = "Editor" LookupId = "TRUE" />....
Exception occured in scope Microsoft.SharePoint.SPListItemEntityCollection.GetById. Exception = System.ArgumentException: Element does not exist.
It may have been deleted by another user.
Actually, the element exists: I tried to launch the query from the URL with user '0#.f|ldapmember:userx|userx@DomainSPxxx.com' connected, and the data is returned.
It is as if the calls made from the workflow claim access only through domain accounts authenticated with Windows Auth.
In the case of the above example, it is not enough to give the right permissions on the collection to the account '0#.f|ldapmember:userx|userx@DomainSPxxx.com';
to make the calls work you must give the same permissions to the account userx@DomainSPxxx.com.
Below is an extract from the log with some records that make me suspicious.
This is what I noticed:
Medium Name=Request (GET:https://testsite.domainspxxx.com/_api/web/lists(guid'4255a977-6694-4080-b065-0c685b28538b')/Items(8))
High Reached maximum number of failed machines based on ping results for this routing group
Unexpected User-Agent is empty
High Did not find token claim in token. ClaimType: 'scope'.
High Did not find token claim in token. ClaimType: 'scp'.
High Did not find token claim in token. ClaimType: 'clientappid'.
High Did not find token claim in token. ClaimType: 'appid'.
High Did not find token claim in token. ClaimType: 'roles'.
High Token is for a windows account.
Medium Couldn't find a user using property 'WorkEmail' of value 'userx@DomainSPxxx.it'
High GetUserProfile_RetrieveUser_Cache ExpectedFailure: Microsoft.Office.Server.UserProfiles.UserNotFoundException:
An error was encountered while retrieving the user profile. at Microsoft.Office.Server.UserProfiles.UserProfileCache.GetUserData
(UserProfileManager objManager, Nullable`1 recordId, Guid gAcct, String strAcct, Byte[] bSid, String strEmail, Boolean doNotResolveToMasterAccount) at Microsoft.Office.Server.UserProfiles.UserProfile.RetrieveUser(String strAcct, Guid gAcct, Byte[] bSid, Nullable`1 recordId, Boolean doNotResolveToMasterAccount, Boolean loadFullProfile, Boolean loadColleagueRecordIds, String strEmail)
Medium Leaving Monitored Scope: (UserProfile.RetrieveUserFromCache) Execution Time=8.87822334961566; CPU Milliseconds=3; SQL Query Count=1;
Parent=Executing the user mapping operation in GetMappedIdentityClaim()
Medium Couldn't find a user using property 'SID' of value 'System.Byte[]'
Unexpected SPSecurityTokenServiceManager!EnsureSharePointLogonRequestClaims: InputIdentity doesn't conatin a PrimarySid claim.
Thanks
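A diagnostic check for the profile lookups that fail in the log above (the WorkEmail and SID lookups behind GetMappedIdentityClaim), added here as an example and not part of the original question. It assumes the standard SharePoint Server object model (Get-SPUser, Get-SPServiceContext, UserProfileManager); the site URL and the e-mail value are placeholders taken from the question.

```powershell
# Added example (not from the question): for every user known to the https
# extension, ask the User Profile Service whether that login resolves to a
# profile and what WorkEmail the profile carries; then run the reverse lookup
# the token mapping performs, from a WorkEmail value back to a profile.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://testsite.domainspxxx.com"   # https extension from the question (placeholder)
$workEmail = "userx@DomainSPxxx.it"                # value the log shows the WorkEmail lookup using (placeholder)

$site = Get-SPSite $siteUrl
$ctx  = Get-SPServiceContext $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# 1. Forward check: does each site user (Windows claim or FBA claim) have a profile,
#    and does the profile's WorkEmail match the e-mail stored on the site user?
Get-SPUser -Web $siteUrl | Where-Object { -not $_.IsDomainGroup } | ForEach-Object {
    $login  = $_.UserLogin
    $exists = $upm.UserExists($login)
    $email  = if ($exists) { $upm.GetUserProfile($login)["WorkEmail"].Value } else { "(no profile)" }
    [pscustomobject]@{
        Login            = $login
        HasProfile       = $exists
        ProfileWorkEmail = $email
        SiteEmail        = $_.Email
    }
} | Format-Table -AutoSize

# 2. Reverse check: which profile, if any, owns the WorkEmail the token lookup used?
#    UserProfileManager enumerates all profiles, so this is a full scan.
$matches = @()
foreach ($profile in $upm) {
    if ($profile["WorkEmail"].Value -eq $workEmail) { $matches += $profile.AccountName }
}
if ($matches.Count -eq 0) {
    Write-Warning "No user profile has WorkEmail '$workEmail'; the mapping in the log cannot resolve it."
} else {
    $matches | ForEach-Object { "WorkEmail '$workEmail' resolves to profile '$_'" }
}

$site.Dispose()
```

If the FBA login shows HasProfile = False, or the reverse lookup finds no profile for the e-mail value in the log, the mapping from the workflow's token to a site user has nothing to resolve against, which is consistent with the "Couldn't find a user" and UserNotFoundException entries.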